A while ago I wrote a blawgpost about a new NSE-script I wrote an even longer while ago, which can be used to dump out the contents of an RMI registry found during nmap scan:
http://www.swende.se/index.php/2010/12/dumping-the-rmi-registry-with-nmap/